Multiple LAN networks on one LAN Port
-
If you're running a downstream router, i.e. you state your 3650 is L3 and using a transit network of 192.168.1.0?
That seems like an asymmetrical mess waiting to happen, to be honest, since you state that if you put devices in 192.168.1 they work. If you're going to have a downstream router, i.e. an L3 switch actually routing between VLANs, then the network that connects to pfSense should be a transit network with no hosts on it.
You then create your rules on pfSense to allow the downstream networks. And once you set up the routes to these downstream networks it would automatically do your outbound NAT.
Use of a downstream router is a more complex setup, and I really only suggest such a design when needed and by someone who understands the complications involved. It is much simpler to just use your switch as L2 and let pfSense do all the routing and firewalling between your network segments.
-
A diagram may help here.
You actually have three connections between the pfSense box and switch?
Steve
-
Attached my network diagram.
Please help me
-
In that case you should create a fourth network to connect pfSense to the switch. This is often called a transit network.
The only interfaces on this network should be router interfaces. No hosts.
Diagram attached. You can ignore the right hand side for your setup.
And since you have three completely different local networks you'll need three different static routes to the switch and three rules allowing the traffic on the pfSense interface and outbound NAT (or one rule passing a network alias containing all three subnets).
-
Thanks for your swift reply...
What I understood from the above suggestion is as follows:
- I need to introduce another network (transit)
- I need to create 3 static routes in the Cisco L3 switch
- I need to create 3 rules on the LAN port in the pfSense box to allow internet.
Correct me if I am wrong.
The diagram is a bit confusing; detailed help would be highly appreciated.
Thanks in advance
-
How is that diagram confusing? It shows your downstream router with a transit network...
This is exactly why you should not use a downstream router when clearly basic 101 routing is beyond your skillset.
It's your drawing with a transit.
Is that better?
In your steps above you forgot the creation of the gateway. And you don't need 3 rules on LAN... It could be done with a simple edit of the default LAN rule from LAN net to any.
I highly suggest you rethink using a downstream layer 3 and just use your switch as layer 2 and let pfSense do the routing... This gives you the added advantage of being able to actually firewall between your network segments. Currently you're not that much better off than a simple flat network, other than that you have 3 broadcast domains.
If you cannot understand the above diagram I doubt you're running ACLs between your segments on your Cisco.
BTW, 172.28/16, really? You have some 65k hosts on this network? You have a /24 on your other networks; how is it that this 172.28 needs to be so big? Do you really have almost 65k hosts on this network??
If your addressing were better, then your rule on your transit interface for the source could be, say, a simple 192.168.0/22.
What did you have in place of pfSense before? Did you just have 3 different routers on each of these networks? Are you sure your switch is actually doing routing? Or are those 3 networks just at layer 2? Do you actually have SVIs set up on those 2 other networks as gateways?
I have a funny feeling that you had 3 routers before and your switch, while it might be L3, is just set up as L2, if even that; it might even all just be VLAN 1? I'd be more than happy to help you set it up either way, but from that statement that the drawing is confusing I have a hard time believing that switch is actually routing.
-
Yes, what is your pfSense LAN interface configured as right now?
If you are able to get internet on the 192.168.1.0/24 segment and it turns out the LAN is in that subnet then that is all L2.
There are a lot of unknowns here.
Steve
-
@stephenw10 said in Multiple LAN networks on one LAN Port:
Yes, what is your pfSense LAN interface configured as right now?
From what he stated above
(The IP address of pfSense box is 192.168.1.247).
I would be more curious what the gateway is set to on the clients in the 192.168.1/24 network, and what they are set to in the other segments. Are they pointing to SVIs on the Cisco? Can 192.168.1/24 access your other segments? Can your other segments access 192.168.1/24?
Just my guess, but it seems more like he is trying to combine his previous setup that had 3 routers using those 3 different segments into 1 box (pfSense)? But that is just a guess, and it is common for users to state they have an L3 when all they are using it for is L2. My SG300s at home are both in L3 mode, but I just use them as L2, for example... But the Cisco SG300 is in fact capable of L3.
If memory serves, more often than not when users state they have an L3 it's not being used as such, which is always confusing ;)
How many interfaces does this pfSense box have? Are the 3 ISPs all public IPs into different physical interfaces, or are they VLANs into the same physical port on pfSense? Etc. We can for sure help you with any sort of configuration you want, be it pfSense doing all the routing or with a downstream. But info is required to help you get to where you want: how are you wanting to leverage the 3 different ISP connections, in failover or in load sharing? What are the speeds of the 3 different connections? Do any of them have IPv6 that you want/need to leverage, etc.?
-
@johnpoz Nice, missed that!
In which case, yeah, I'd bet this is running layer2.
But if it isn't, and it's somehow set up correctly as layer 2 to that segment only, you need static routes in pfSense to the other subnets and firewall rules to allow them on LAN.
Steve
-
Hello all,
Sorry for the delay in responding.
First things first.
My present network is running on a Fortigate firewall without any transit network (as in my earlier diagram).
I am planning to move to pfSense.
My focus is to move from Fortigate to pfSense without disturbances.
I am attaching a more detailed diagram for better understanding. Now my only focus is to give internet to the users on the 10.44.71.0/24 and 172.28.0.0/16 subnets. By default the 192.168.1.0/24 users are getting internet.
Let me know what I should do in the pfSense firewall to allow internet to all the subnets.
Thanks in advance.
-
That is an asymmetrical MESS!!
You should FIX that!!! is what you should do!!
-
Yes, there are a number of better ways to do this but.....
If it really is routing at the L3 switch you need to add 192.168.1.1 as a gateway in pfSense and then add static routes to 10.44.71.0/24 and 172.28.0.0/16 via that gateway.
Then add firewall rules on LAN to allow traffic from those subnets.
If your outbound NAT rules are still at automatic those subnets should be included. If not then they will need manual rules there too.
Steve
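As an added example (not from any post in this thread), here is the pfSense side of the transit-network design described earlier by johnpoz and stephenw10 (gateway, static routes, one pass rule using an alias, outbound NAT), written out as the equivalent pf.conf fragment that the GUI settings generate. The interface names em0/em1, the transit /30 192.168.254.0/30 and the switch SVI address 192.168.254.2 are assumptions.

```pf
# pfSense side of the transit-network design (added example, not from the thread).
# Assumed: em0 = WAN, em1 = LAN facing the Cisco switch over a transit /30
# (pfSense 192.168.254.1, switch SVI 192.168.254.2). No hosts sit on the
# transit network. In the GUI these map to System > Routing (gateway and
# static routes), Firewall > Rules > LAN, and Firewall > NAT > Outbound.
wan_if = "em0"
lan_if = "em1"
switch_gw = "192.168.254.2"

# One alias instead of three separate rules: the networks that live behind the
# L3 switch. With tidier addressing (e.g. 192.168.0.0/22) this could be a single
# prefix, as johnpoz noted; the thread's actual subnets are used here.
table <downstream_nets> { 192.168.1.0/24, 10.44.71.0/24, 172.28.0.0/16 }

# Static routes (FreeBSD equivalents of the GUI static routes via the switch
# gateway; without them pfSense has no return path to the downstream hosts):
#   route add -net 192.168.1.0/24 192.168.254.2
#   route add -net 10.44.71.0/24  192.168.254.2
#   route add -net 172.28.0.0/16  192.168.254.2
# On the switch the matching piece is a default route to the pfSense transit
# address, e.g. "ip route 0.0.0.0 0.0.0.0 192.168.254.1" in IOS.

# Outbound NAT: automatic outbound NAT covers these networks once the static
# routes exist; the manual rule states the same thing explicitly.
nat on $wan_if from <downstream_nets> to any -> ($wan_if)

# Pass rule on the transit interface. Editing the default LAN rule from
# "LAN net" to "any" also works; the alias keeps the permitted source bounded
# to the networks that are actually routed through the switch.
pass in quick on $lan_if inet from <downstream_nets> to any keep state
```

If the existing flat layout is kept instead (no transit network), the gateway becomes 192.168.1.1 on the 192.168.1.0/24 LAN, 192.168.1.0/24 drops out of the alias, and only the two other subnets need the static routes.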
-
What he should do is do it correctly with a transit; it takes all of 2 minutes to just use a transit network.
-
Yup. Or use VLANs and layer 2 if you don't need the routing speed between those subnets that the switch provides, or if you do need the filtering pfSense would provide.
Steve
-
@vijaydsk said in Multiple LAN networks on one LAN Port:
Hello all,
Sorry for the delay in responding.
First things first.
My present network is running on a Fortigate firewall without any transit network (as in my earlier diagram).
I am planning to move to pfSense.
My focus is to move from Fortigate to pfSense without disturbances.
I am attaching a more detailed diagram for better understanding. Now my only focus is to give internet to the users on the 10.44.71.0/24 and 172.28.0.0/16 subnets. By default the 192.168.1.0/24 users are getting internet.
Let me know what I should do in the pfSense firewall to allow internet to all the subnets.
Thanks in advance.
Care to share the running-config on the Cisco 3560 and the interface assignments on pfSense?
-
Thank you.
With all your support I was able to give internet to all the links.
@johnpoz
Yes, I am in the process of removing the other networks apart from 172.28.0.0/16.
Once they are removed, only one big network will remain.
@stephenw10
I did as per your advice; I was able to give internet.
@Derelict
Thanks for giving me an idea, with which I could figure out the problem.
I am attaching the backup (of course after taking precautions) of my configuration.
It may be useful for anyone who has got the same issue; they can follow the same.
Please let me know if attaching a backup is a violation; I will remove it for sure.
0_1540451309619_config-pfSense.localdomain-20181020154833.xml